The Canadian government is doubling its support for programs to prevent radicalization, but couldn’t find any new cash for the overworked agencies that keep tabs on the country’s spies. Amid controversy last year over Justin Trudeau’s support for anti-terrorism Bill C-51, the Liberals pledged to create an office that would tackle radicalization. In its first budget this week, the government revealed the new office of the Community Outreach and Counter-radicalization Co-ordinator will receive an additional $35 million over five years. The officials say the domestic anti-radicalization money supports “a whole-of-government approach” that involves the RCMP, CSIS, border agents, local governments and community groups. [Source] See also: [Ottawa Citizen: PM Says Not ‘At War’ but Increases Use of Hated C-51 Powers] and [Angus Reid Survey Finds Huge Support for C-51]
Two Liberal cabinet ministers who had criticized a controversial agreement to provide Canadian banking records to the U.S. Internal Revenue Service now say they support the deal. Speaking on the way into a cabinet meeting, Treasury Board President Scott Brison and Transport Minister Marc Garneau rallied behind the position adopted last week by Revenue Minister Diane Lebouthillier, supporting the deal struck under the Harper government that saw 155,000 Canadian banking records shared with the IRS last September. [iPolitics] [Revenue Minister Asked to Testify on Records Transfer to IRS]
Premier Christy Clark’s cabinet may appoint a temporary replacement for B.C.’s privacy watchdog, after the abrupt departure of commissioner Elizabeth Denham caught MLAs who were planning to re-appoint her by surprise. Denham told government this week that the United Kingdom had nominated her as its new information commissioner, and she would leave her B.C. post when her term expires on July 6. The all-party committee of the legislature is now faced with the potentially lengthy process of launching a global search for her replacement, which the committee’s deputy chair admits may not be finished before Denham leaves in July. The normal procedure would be for the all-party committee to make a unanimous recommendation to the legislature, and the legislature to affirm that choice. But if the committee can’t agree on a name before Denham leaves in July, cabinet has the power to slot its own candidate as acting commissioner. That person would serve until the committee makes its choice. The entire process, including legislative confirmation, could take up to a year if government doesn’t convene a fall session. [Source] [BC’s Info and Privacy Watchdog Departs for Britain] [B.C. privacy commissioner Elizabeth Denham moving on to bigger things]
CA – Alberta Court Finds It Is Not Urgent or Necessary for Law Society to Review a Former Member’s Phone and Computer Records
The Law Society of Alberta sought an order compelling Justin Sidhu to produce records in compliance with the Legal Professions Act. An order compelling access to a former member’s cellphone and computer records following his conviction on charges of drug trafficking is denied; if the conviction is upheld on appeal, that would be proof of the misconduct, and therefore the need for the information is neither urgent nor necessary at this time. [Law Society of Alberta v Sidhu – 2016 ABQB 142 CanLII]
The Government of Nunavut’s efforts to make the administration of its municipalities more transparent have stalled. That’s because consultations with community governments on how to bring their operations under the Access to Information and Protection of Privacy Act are at a “standstill,” according to Nunavut government documents. “In the past year, consultations with municipalities have been at a standstill due to capacity issues within the ATIPP office,” the GN said in a document tabled March 15 in the Nunavut legislature. In the document, the GN responds to 11 recommendations made by a standing committee of MLAs, which reviewed the 2014-15 annual report by Nunavut’s information and privacy commissioner. [Source]
The Chairmen of two House Committees have announced the creation of an encryption working group to examine the complicated legal and policy issues surrounding encryption; the group will identify potential solutions that preserve the benefits of strong encryption while also ensuring law enforcement has the tools needed to keep Americans safe and prevent crime. The House Judiciary Committee and Energy and Commerce Committee have primary jurisdiction over encryption and the issues it presents for citizens, law enforcement, and American technology companies. [Committee on Energy & Commerce] [FCW]
The UK Information Commissioner’s Office released its first guidance on the General Data Protection Regulation (GDPR): the 12 steps that businesses can start taking now to prepare for the GDPR. The ICO also launched a new microsite on the GDPR. Here is a summary:
- Ensure awareness amongst key stakeholders in the organisation.
- Document the personal data that they hold, where it came from and with whom they share it.
- Review current privacy notices and put a plan in place for making any necessary changes.
- Check existing procedures to ensure that they cover all the rights data subjects now have.
- Look at the various types of data processing they carry out, and identify and document the legal basis for each.
- Ensure processes and procedures are documented – to help demonstrate compliance with the accountability requirements. [Source] [Press Release] [blog entry]
The European Data Protection Supervisor has released new guidance on Information Security Risk Management, “which advises EU institutions on how to ensure a secure and trustworthy digital environment for the information that is essential for the functioning of their services.” “The security of personal data is a legal requirement, but it is also necessary in the interests of organisations that rely on the use of information for their daily business … I urge the hierarchies in the EU institutions to engage in the tailored development and use of information security risk management processes to address the specific needs of their organisation.” [EDPS Press Release]
- The controversial UK Investigatory Powers Bill passed its second reading in Parliament, bringing it one step closer to fruition. The proposed legislation garnered 281 votes for as opposed to only 15 against, with both the Labour and Scottish National parties abstaining.
- Digital Commissioner Gunther Oettinger said the EU-U.S. Privacy Shield agreement should go live this June.
- The European data protection supervisor has released a working document covering relevant privacy and data protection case law in the EU between Dec. 1, 2014 and Dec. 31, 2015.
- The U.K. Information Commissioner’s Office unveiled dpreform.org.uk on its official site for posting information about data protection reform, including under the General Data Protection Regulation.
Bank of Montreal customers who use MasterCard to make online purchases will be taking selfies for a whole new reason this summer, as BMO becomes the first Canadian bank to support MasterCard’s new Identity Check mobile app, colloquially known as “selfie pay,” the companies announced. So far, around 200 BMO employees with corporate credit cards have been signed up for the biometric-based feature, which complements the company’s existing MasterPass service by using facial recognition and fingerprint scanning technology to verify online payments. [IT Business]
The Sedona Canada Principles are revised in a second edition. Principle 2 (proportionality) has been revised to create a 5-part test for applying the “reasonableness” principle; principle 7 (electronic tools) recommends that the parties agree in advance on the tools to be used, and principle 11 (sanctions) is revised to recommend that the Court consider sanctions where a party fails to meet its discovery obligations. [New Edition of the Sedona Canada Principles for E-Discovery – Kirsten Thompson, Partner, and Nolan Hurlburt, Associate, McCarthy Tetrault]
The OIPC BC reviewed a decision by the Office of the Police Complaint Commissioner to deny access to records requested pursuant to FIPPA. For records to be exempt from FIPPA under the provisions of the Police Act, they must relate to operational records, not administrative records; based on the video evidence provided, the records at issue are operational records of the Police Complaint Commissioner because they are part of a specific case file and relate to the exercise of the Police Complaint Commissioner’s functions under the Police Act. [OIPC BC – Order F16-13 – Office of the Police Complaint Commissioner]
The government’s Phase 2 HIPAA audits began March 21. Phase 2 will consist of 200 desk and on-site audits of both covered entities and business associates. The compliance audits are intended to determine if health-care organizations and their contractors are complying with HIPAA privacy and security rules. The first phase of the HIPAA audits was conducted as a pilot program in 2011 and 2012, focused solely on covered entities, while Phase 2 will include both covered entities and business associates. The desk audits are expected to be completed by December, while the more comprehensive on-site audits will begin later in the year. The OCR has reached nine major settlement agreements regarding HIPAA breaches since last March, resulting in a total of $11 million in fines. Some of the lessons learned as a result of the OCR’s enforcement efforts include the need for companies to:
- safeguard all paper records, even if most records have migrated to an electronic format;
- maintain business associate agreements with all business associates;
- perform a comprehensive risk analysis of all sources of protected health information, not just electronic health records; and
- translate the results of a risk analysis into a robust risk management plan.
The Government Accountability Office released a report identifying several weaknesses in the security of Healthcare.gov. In a span stretching from October 2013 to March 2015, the Centers for Medicare & Medicaid Services reported 316 security-related incidents affecting the site. The breaches mostly consisted of mailing sensitive information to the wrong recipients and the probing of CMS systems by potential attackers. Despite CMS’ efforts to protect the privacy and security of the data maintained through the systems supporting Healthcare.gov, the GAO noted various trouble spots, including faults in technical controls that could place sensitive information at risk for unauthorized disclosure and controls that protect data flowing through data hubs. The GAO, however, noted that hackers did not successfully compromise any personally identifiable information during that span. [Full Story]
Hackers held the computer systems of two California-based Prime Healthcare Services’ hospitals for ransom last week. A Prime Healthcare spokesman said that the incident didn’t cripple the internal systems, hospitals remained “operational,” and the FBI is investigating the incident. While not elaborating on the ransom, he called the situation “similar to challenges hospitals across the country are facing.” Meanwhile, Chubb’s Global Cyber Risk Practice announced the launch of a ransomware service for policyholders. “Many businesses are not equipped to deal with a cyber-extortion attempt, where the timeliness of the response is even more critical,” said Global Cyber Risk. [Kaiser Health News]
Doctors who photograph skin conditions using unsecured, personal mobile phones could be breaching patient privacy. In an article in the Medical Journal of Australia, researchers say using telemedicine for diagnosing dermatological conditions was popular because it sped up treatment and improved patient outcomes, particularly in regional areas where there are few specialists. However, doctors and medical institutions endangered patient privacy, as well as their own indemnity insurance and the confidentiality clauses of their employment contracts, if they failed to protect confidential patient records by using unsecured mobile phones and emails. [Source]
The Global Privacy Enforcement Network (“GPEN”), an informal network of 59 privacy enforcement authorities in 43 jurisdictions around the world, has released its 2015 annual report. Highlights:
- Launched GPEN Alert, a new information sharing system that enables participating authorities to better coordinate international efforts in protecting consumer privacy.
- 18 teleconferences held in the Atlantic and Pacific regions to connect authorities and to build and share expertise. Two face-to-face meetings held in Ottawa and Amsterdam.
- Third annual Privacy Sweep spotlighted the privacy practices of websites and apps targeted specifically at, or popular with, children. [Report]
The police are to consolidate a number of their large databases into a single “platform” in order to “protect victims and spot potential links to other crimes.” The plans for a “National Law Enforcement Data Programme” were announced by the Home Office this week and will bring together data from the Police National Computer, Police National Database and Automatic Number-Plate Recognition (ANPR) systems “onto a single platform.” However, last year the legality of the ANPR database – which collects a “record for all vehicles passing by a camera… including those for vehicles that are not known to be of interest at the time of the read” – was called into question by the Surveillance Camera Commissioner. The National ANPR data centre now holds information on 22 billion car journeys. Other measures contained within the Modern Crime Prevention Strategy (PDF) include an “explicit focus on data and technology” and the use of “predictive policing”. [Source] [UK tech industry welcomes government’s new anti-crime strategy]
Police who abuse official law enforcement databases must receive stronger penalties, says a civilian oversight agency. A study by the Denver Office of the Independent Monitor documented 25 cases of the city’s police misusing the database in the past 10 years. “These databases contain vast amounts of personal information about the American public, including community members in Denver,” said the agency’s Independent Monitor. “When they are misused, reprimands are not commensurate with the seriousness of that violation, and may not be strong enough to deter future abuse.” [New York Times]
The City of Hamilton Police Services Board did not delete sensitive data from former Chief Glenn De Caire’s police-issued laptop and mobile phone, items he was able to keep post-retirement. This potential oversight sparked privacy concerns, but law enforcement officials say there’s nothing to fear. “I don’t know whether he downloaded anything,” said the Police Services Board Chair Lloyd Ferguson. “I trust Glenn and I don’t know whether he would’ve saved anything to the hard drive.” The problem is bigger than that, argued Ryerson University’s Ann Cavoukian. “It’s not that we don’t trust the former police chief. It’s that accidents happen,” she said. “I don’t want to suggest otherwise, but nonetheless this material has to be governed by strict policies and protocols.” [CBC Hamilton]
Correctional Service Canada’s use of surveillance inside a federal prison has sparked an official investigation by the Ontario Provincial Police and a lawsuit from the jail guards. Officials used cell-site simulators, or IMSI catchers, to locate prisoners’ contraband cellphones, but the technology also grabbed private data from the guards’ cellphones. Indiscriminate surveillance programs can be considered a violation of the Criminal Code, but lawyers argue that this may be tricky to prove, as there is little legal precedent for prison surveillance. Regardless, “CSC officials have recently stopped giving statements to lawyers pursuing the civil suit,” the report adds. [The Globe and Mail]
In a new class-action lawsuit, plaintiffs claim Facebook spied on users who relayed private health information on major cancer institutes’ websites in order to make profit off the data in advertising revenue. Winston Smith has sued Facebook, the American Cancer Society, the American Society of Oncology and five others alleging Facebook uses the private health data it takes from the medical institutes’ websites, which feature a secret “Facebook code” capable of transmitting users’ data to the social media site, to create targeted advertising campaigns. [Courthouse News Service]
Facebook has launched new race-based marketing campaigns. In a recent campaign, ads for N.W.A.’s “Straight Outta Compton” were served in different ways to three different audiences: black, white or Hispanic. Facebook calls it “ethnic affinity” targeting, and it’s been pushing it since 2014. It appeals to advertisers seeking a certain group. But Facebook users aren’t required to declare their racial or ethnic identity in their profiles. A Facebook executive explained that to construct a profile of a user’s identity, the company looks at “indicators” like your interests, friends and organizations you belong to. [Ars Technica]
Adobe has announced plans for cross-device targeting, which would not only notify technologists when the same individual is using different devices, but also provide companies a new way to target ads. To do so, members of the new Adobe Marketing Cloud Device Co-op will share data with each other. “So if Company X has been able to use login data to establish that two devices belong to the same person, other members of the co-op take advantage of that fact and tailor their advertising accordingly.” The plan has sparked privacy concerns, but Adobe said the participating advertisers must opt in, and the shared data is not personally identifiable. [TechCrunch]
It’s no mystery to most privacy professionals, but the impact one’s data footprint can have on everyday life is beginning to be well chronicled in mainstream media. Fast Company published a long-form work on the myriad decisions that are made via personal data, often without the data subject’s knowledge. From the presence of police in your neighborhood (or not) to the potential dates you’re presented with on your dating site of choice to the job you are offered (or not), the report details how data may be impacting your life experiences. The article’s conclusion? “[E]thical considerations need to be guiding us.” [Full Story]
The NSW Legislative Council Standing Committee on Law and Justice has recommended in its report Remedies for the serious invasion of privacy in New South Wales the establishment of a statutory cause of action for serious invasions of privacy. The Committee recommended that, in establishing the statutory cause of action, it should be based on the Australian Law Reform Commission’s (ALRC) model detailed in its 2014 report Serious Invasions of Privacy in the Digital Era (which was the subject of considerable focus during the Committee’s inquiry). The report’s recommendations were made by MPs from four parties, including those of the Coalition, so this is clearly an idea in the mainstream of NSW political thought. Nothing will happen, however, until the NSW Government’s response to the report, which is expected by 5 September 2016. [Clayton Utz Insights]
The FTC entered into an agreement with Sitesearch Corporation et alia following alleged violations of the FTC Act. The data broker is permanently restrained from selling, transferring, or otherwise disclosing a consumer’s sensitive personal information to any third party without consent, and it must not misrepresent that a consumer has authorized or consented to the purchase of a product or service, or the nature or terms of any refund, cancellation, exchange, or repurchase policy. [FTC v. Sitesearch Corporation – Final Judgment and Order for Injunctive and Other Relief – United States District Court for the District of Arizona]
A New York contractor will pay $3.1 million and undergo oversight for the next five years for violating a contract that involved outsourcing the personal information of millions of individuals to a company in India. Focused Technologies Imaging Services was tasked with digitizing 22 million files maintained by the State Division of Criminal Justice Services, which included fingerprints, Social Security numbers, signatures and dates of birth. For $82,000, the company shipped the files of millions of individuals to an India-based company for processing. Though the state contract required Focused Technologies’ employees to pass background checks prior to processing as an added protection for the records, the company to which the records were outsourced did not conduct background checks on its employees. [The New York Times]
A jury awarded former wrestler Hulk Hogan $115 million (about $1,138,613 per second) after finding that news site Gawker violated his privacy by publishing a sex tape of Hogan without his consent. The jury awarded Hogan $60 million for emotional distress and an additional $55 million for economic damages, with the possibility of more. “This is a victory for everyone who has had their privacy violated,” said Hogan’s attorney. University of Miami School of Law professor Mary Anne Franks said, “People are thinking a little bit more about the concept of what is newsworthy, because what’s changed is the concept of who a public figure is.” The case comes a week after sports reporter Erin Andrews won $55 million for having her privacy violated by a stalker. [Reuters]
A Florida jury ruled that in addition to its $115 million fine, Gawker must pay $25 million in punitive damages for posting wrestling star Hulk Hogan’s sex tape online without consent. The jury also required the news outlet’s CEO Nick Denton to pay a $10 million fee. “I think we made history today, because I think we protected a lot of people today who may be going through what I went through,” Hogan said. The company said it would appeal the ruling. “We are confident we will win this case ultimately based not only on the law but also on the truth,” Gawker said in a statement. [Reuters]
Massachusetts Institute of Technology and Harvard University research teams are developing a tool that gives mobile users the “final say” on how and when their data is accessed by applications. The cryptography-based program, called Sieve, encrypts and stores user information in the cloud, dispensing data-access requests to the user when an application wants to employ the data. [ZDNet]
A new McAfee Labs survey of 500 private-sector companies indicated that more than a third of cybersecurity professionals “remain hesitant” to share threat intelligence with members of other industries. 63% of respondents would participate in reciprocal threat sharing. The problem, according to the study, lies in companies’ “misunderstanding” of the information appropriate to share. “When an organization begins to implement a [cyber-threat intelligence] sharing effort, it runs afoul of policies that dictate that no confidential data or [personally identifying information] can leave the organization. This is, of course, generally a good policy but the lack of understanding of the content being shared becomes self-defeating in this case.” [FedScoop]
An Office of Management and Budget annual performance review found that 77,000 “cyber incidents” befell the U.S. government in 2015, a 10% increase from 2014. The study defines these incidents as “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices,” and names the government’s increased ability to identify data breaches and employee security gaffes as partly responsible for the larger total. Regardless, “malicious actors continue to gain unauthorized access to, and compromise, federal networks, information systems, and data,” the study said. [Reuters]
The FTC is advising mobile app developers that it has its eye on technology that could allow phones to monitor TV viewing habits and relay that to targeted third-party advertisers. In a blog post this week, the FTC pointed out it was sending letters—from the associate director of the Privacy and Identity Protection division—to app developers whose apps use software created by Silverpush that runs in the background and enables phones to “listen” for embedded audio signals in TV programs to determine what TV shows or ads are playing (sort of like a Shazam for TV content), even when the app is not being actively used. The app “could” create a log of such TV content. [Source] [FTC Raps Android Developers For Using SilverPush Software]
In a forthcoming California Law Review paper titled “Limitless Worker Surveillance,” the authors argue that the government should establish employee surveillance protection laws that would balance an employer’s right to efficiency and a worker’s right to privacy in an increasingly connected world. “While employers have a reasonable interest in ensuring the productivity of their workers and in dissuading misconduct in the workplace, that interest does not outweigh the human right to privacy and personal liberty in domains that have been traditionally considered as separate from work and the workplace,” the research states. They dub their proposed law the “Employee Privacy Protection Act,” and maintain that the same legal protections should be extended to health care workers, as well. [Information Week]